[ https://issues.apache.org/jira/browse/SENTRY-2268?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2268:
--------------------------
    Description: 
The privileges required for DDL commands are listed in HiveAuthzPrivilegesMap. 

{code}
addOutputObjectPriviledge(AuthorizableType.Table, 
EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER))
{code}
means the required output privilege is table-level insert OR alter.

{code}
addOutputObjectPriviledge(AuthorizableType.Table, 
EnumSet.of(DBModelAction.INSERT)).
addOutputObjectPriviledge(AuthorizableType.Table, 
EnumSet.of(DBModelAction.ALTER))
{code}

means the required output privilege is table-level insert AND alter.

We need to review the privileges to see if they are defined correctly. I 
suspect multiple definitions want to have privileges with AND, but end up 
getting privileges with OR.
We should also check if the privilege level is correct. For example, "insert" 
is a table-level privilege. It does not make sense to require database-level 
"insert".

  was:
The privileges required for DDL commands are listed in HiveAuthzPrivilegesMap. 

{code}
addOutputObjectPriviledge(AuthorizableType.Table, 
EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER))
{code}
means the required output privilege is table-level insert OR alter.

{code}
addOutputObjectPriviledge(AuthorizableType.Table, 
EnumSet.of(DBModelAction.INSERT)).
addOutputObjectPriviledge(AuthorizableType.Table, 
EnumSet.of(DBModelAction.ALTER))
{code}

means the required output privilege is table-level insert AND alter.

We need to review the privileges to see if they are defined correctly. I 
suspect multiple definitions want to have privileges with AND, but end up 
getting privileges with OR.


> Review the required privileges for DDL commands
> -----------------------------------------------
>
>                 Key: SENTRY-2268
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2268
>             Project: Sentry
>          Issue Type: Task
>            Reporter: Na Li
>            Priority: Major
>
> The privileges required for DDL commands are listed in 
> HiveAuthzPrivilegesMap. 
> {code}
> addOutputObjectPriviledge(AuthorizableType.Table, 
> EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER))
> {code}
> means the required output privilege is table-level insert OR alter.
> {code}
> addOutputObjectPriviledge(AuthorizableType.Table, 
> EnumSet.of(DBModelAction.INSERT)).
> addOutputObjectPriviledge(AuthorizableType.Table, 
> EnumSet.of(DBModelAction.ALTER))
> {code}
> means the required output privilege is table-level insert AND alter.
> We need to review the privileges to see if they are defined correctly. I 
> suspect multiple definitions want to have privileges with AND, but end up 
> getting privileges with OR.
> We should also check if the privilege level is correct. For example, "insert" 
> is a table-level privilege. It does not make sense to require database-level 
> "insert".



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
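
The OR-versus-AND distinction described in the issue, as an added stand-alone example that is not Sentry's code and not part of the original message. The types `Scope`, `Action`, `Requirement` and the methods `allowed` and `audit` are hypothetical, the sample definitions and grants are constructed, and the semantics are modelled as the issue states them (Java 16+).

```java
import java.util.*;

// Added illustration; a stand-alone model, not Sentry's HiveAuthzPrivilegesMap.
public class PrivilegeSemantics {
    enum Scope { DATABASE, TABLE }
    enum Action { INSERT, ALTER, SELECT }

    // One requirement: the user must hold at least one of `anyOf` at `scope`.
    record Requirement(Scope scope, EnumSet<Action> anyOf) {}

    // Assumption taken from the issue text: "insert" is only meaningful at table level.
    static final EnumSet<Action> TABLE_ONLY = EnumSet.of(Action.INSERT);

    // AND across requirements, OR inside each requirement's action set.
    static boolean allowed(List<Requirement> required, Map<Scope, EnumSet<Action>> granted) {
        for (Requirement r : required) {
            EnumSet<Action> held = granted.getOrDefault(r.scope(), EnumSet.noneOf(Action.class));
            if (Collections.disjoint(held, r.anyOf())) return false;
        }
        return true;
    }

    // Audit helper: flag table-only actions that a definition requires at database scope.
    static List<String> audit(String command, List<Requirement> required) {
        List<String> findings = new ArrayList<>();
        for (Requirement r : required)
            for (Action a : r.anyOf())
                if (r.scope() == Scope.DATABASE && TABLE_ONLY.contains(a))
                    findings.add(command + ": " + a + " required at database level");
        return findings;
    }

    public static void main(String[] args) {
        // Constructed definitions mirroring the two snippets in the issue.
        List<Requirement> orForm = List.of(
            new Requirement(Scope.TABLE, EnumSet.of(Action.INSERT, Action.ALTER)));
        List<Requirement> andForm = List.of(
            new Requirement(Scope.TABLE, EnumSet.of(Action.INSERT)),
            new Requirement(Scope.TABLE, EnumSet.of(Action.ALTER)));
        // Constructed grant: the user holds only INSERT on the table.
        Map<Scope, EnumSet<Action>> insertOnly = Map.of(Scope.TABLE, EnumSet.of(Action.INSERT));

        System.out.println("OR form,  INSERT only: " + allowed(orForm, insertOnly));
        System.out.println("AND form, INSERT only: " + allowed(andForm, insertOnly));
        // Constructed misdefinition of the kind the issue asks reviewers to look for.
        List<Requirement> suspect = List.of(
            new Requirement(Scope.DATABASE, EnumSet.of(Action.INSERT)));
        System.out.println(audit("HYPOTHETICAL_DDL", suspect));
    }
}
```

A definition written in the OR form when AND was intended authorizes a user who holds only one of the two privileges, which is the over-permissive outcome the review is meant to catch.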
